feat: add permission checks for menus, view routes

2024-08-14 21:20:00 -05:00 · 2024-08-14 21:20:00 -05:00 · e3942ce65e
commit e3942ce65e
parent 675b51cac2
11 changed files with 537 additions and 40 deletions
--- a/tests/test_subscribers.py
+++ b/tests/test_subscribers.py
@ -2,7 +2,7 @@

 import json
 from unittest import TestCase
-from unittest.mock import MagicMock
+from unittest.mock import MagicMock, patch

 from wuttjamaican.conf import WuttaConfig

@ -210,6 +210,137 @@ class TestNewRequestSetUser(TestCase):
        self.assertTrue(self.request.is_admin)
        self.assertTrue(self.request.is_root)

+    def test_user_permissions(self):
+        model = self.app.model
+        auth = self.app.get_auth_handler()
+        event = MagicMock(request=self.request)
+
+        # anonymous user
+        self.assertFalse(hasattr(self.request, 'user_permissions'))
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertEqual(self.request.user_permissions, set())
+
+        # reset
+        del self.request.user_permissions
+
+        # add user to role with perms
+        blokes = model.Role(name="Blokes")
+        self.session.add(blokes)
+        auth.grant_permission(blokes, 'appinfo.list')
+        self.user.roles.append(blokes)
+        self.session.commit()
+
+        # authenticated user, with perms
+        self.request.user = self.user
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertEqual(self.request.user_permissions, {'appinfo.list'})
+
+    def test_has_perm(self):
+        model = self.app.model
+        auth = self.app.get_auth_handler()
+        event = MagicMock(request=self.request)
+
+        # anonymous user
+        self.assertFalse(hasattr(self.request, 'has_perm'))
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertFalse(self.request.has_perm('appinfo.list'))
+
+        # reset
+        del self.request.user_permissions
+        del self.request.has_perm
+        del self.request.has_any_perm
+
+        # add user to role with perms
+        blokes = model.Role(name="Blokes")
+        self.session.add(blokes)
+        auth.grant_permission(blokes, 'appinfo.list')
+        self.user.roles.append(blokes)
+        self.session.commit()
+
+        # authenticated user, with perms
+        self.request.user = self.user
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertTrue(self.request.has_perm('appinfo.list'))
+
+        # reset
+        del self.request.user_permissions
+        del self.request.has_perm
+        del self.request.has_any_perm
+
+        # drop user from role, no more perms
+        self.user.roles.remove(blokes)
+        self.session.commit()
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertFalse(self.request.has_perm('appinfo.list'))
+
+        # reset
+        del self.request.user_permissions
+        del self.request.has_perm
+        del self.request.has_any_perm
+        del self.request.is_admin
+        del self.request.is_root
+
+        # root user always has perms
+        admin = auth.get_role_administrator(self.session)
+        self.user.roles.append(admin)
+        self.session.commit()
+        self.request.session['is_root'] = True
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertTrue(self.request.has_perm('appinfo.list'))
+
+    def test_has_any_perm(self):
+        model = self.app.model
+        auth = self.app.get_auth_handler()
+        event = MagicMock(request=self.request)
+
+        # anonymous user
+        self.assertFalse(hasattr(self.request, 'has_any_perm'))
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertFalse(self.request.has_any_perm('appinfo.list'))
+
+        # reset
+        del self.request.user_permissions
+        del self.request.has_perm
+        del self.request.has_any_perm
+
+        # add user to role with perms
+        blokes = model.Role(name="Blokes")
+        self.session.add(blokes)
+        auth.grant_permission(blokes, 'appinfo.list')
+        self.user.roles.append(blokes)
+        self.session.commit()
+
+        # authenticated user, with perms
+        self.request.user = self.user
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertTrue(self.request.has_any_perm('appinfo.list', 'appinfo.view'))
+
+        # reset
+        del self.request.user_permissions
+        del self.request.has_perm
+        del self.request.has_any_perm
+
+        # drop user from role, no more perms
+        self.user.roles.remove(blokes)
+        self.session.commit()
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertFalse(self.request.has_any_perm('appinfo.list'))
+
+        # reset
+        del self.request.user_permissions
+        del self.request.has_perm
+        del self.request.has_any_perm
+        del self.request.is_admin
+        del self.request.is_root
+
+        # root user always has perms
+        admin = auth.get_role_administrator(self.session)
+        self.user.roles.append(admin)
+        self.session.commit()
+        self.request.session['is_root'] = True
+        subscribers.new_request_set_user(event, db_session=self.session)
+        self.assertTrue(self.request.has_any_perm('appinfo.list'))
+

 class TestBeforeRender(TestCase):